PrivacyPH.org/research Privacy Interests in Health Research

This wiki aims to discuss privacy issues in health research and to propose specific Privacy Code for the Privacy Guidelines (based on RA 10173). The main Code-drafting exercise for the Guidelines is done here. While the immediate application of the exercise is limited to the Philippine Health Information Exchange (PHIE), the rules crafted here may have an impact on health research in the Philippines in general. In a parallel development, the National Privacy Commission (NPC) has just been constituted. You may also consider engaging the Commission directly on special issues in research privacy.

Privacy Code relating to research (especially health research) are proposed towards the end of this page. Well thought-out changes, additions, suggestions, comments are most welcome.

General Issues

Consent from research subjects may be necessary but not sufficient to protect their rights (including privacy).

NDA and confidentiality arrangements are not sufficient for privacy-compliance. The Data Privacy Act of 2012 regulates the processing of personal information. “Processing” “refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.” An institution could be processing personal information illegitimately without violating NDA and confidentiality arrangements or agreements.

Is there any interaction with a living person through this activity? If yes, POSSIBLE privacy regulation. If no, will identifiable personal information be obtained from this activity, yes or no? If yes, possible privacy regulation. If no, no privacy regulation should be applied.

Research subjects do not lose their rights as data subjects just because they participate freely in research. These privacy rights include in part the ff (Sec 16ff, RA 10173):

“(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;

(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:

(1) Description of the personal information to be entered into the system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom they are or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation;

(c ) Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;
(2) Sources from which personal information were obtained;
(3) Names and addresses of recipients of the personal information;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the personal information to recipients;
(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
(7) Date when his or her personal information concerning the data subject were last accessed and modified; and
(8) The designation, or name or identity and address of the personal information controller;

(d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall he informed of its inaccuracy and its rectification upon reasonable request of the data subject;

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and

(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.”

(1) Transparency in regard to policies and practices relating to the management of personal information in the research project .
(2) Legitimate Purpose - clear purpose for which personal information is collected at or before the time the information is collected.
(3) Proportionality - the collection of personal information shall be limited to that which is necessary for the purposes indicated in the study protocol. Information shall be collected by fair and lawful means.
(4) Accountability - designation of specific individual or individuals who are accountable for the organization's privacy compliance.
(5) Consent - from data or research subjects for the collection, use, or disclosure of personal information, except when inappropriate (as determined by a duly constituted ethics committee).
(6) Limiting Use, Disclosure and Retention - personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes indicated in the study protocol.
(7) Accuracy of personal information. It shall also be complete and up-to-date for the purposes for which it is to be used.
(8) Safeguards - security safeguards appropriate to the sensitivity of the information.
(9) Access - research or data subjects shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. When the accuracy and completeness of information is challenged, research or data subjects may have it amended as appropriate.
(10) Challenge and Compliance - making clear to research or data subjects the processes for privacy challenge, incident reporting, and compliance.

-

Issues in Non-applicability Clause in RA 10173

Section 19 of RA 10173: “Non-Applicability. … not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.”

Is “non-applicability” equal to “exemption” from the privacy law or equal to non-observance of rights of data subjects? Maybe not. Doesn't the clause refer to just at most 2 sections immediately preceding Section 19, namely Sections 17 and 18?

“only for the needs of scientific AND statistical research.” What about qualitative, non-statistical, social or psychological research involving sensitive personal information and intimate personal details? In the first place, who or which institution will determine which activity constitutes research to merit “exemption”?

“no decisions are taken regarding the data subject.” Just what decisions are these exactly? By “no” as in “none,” including the very decision to take the data subject's personal information?

“only for the declared purpose.” What about derivative studies not explicitly declared in the study protocol? What about studies needing “open consent”?

“strict confidentiality” - does this mean having the same data security rules for research?

Section 4(d) appears to provide a global “non-applicability” for research. But that doesn't sit well with the above provisions that are clearly about limited exception. Having a blanket exception does not necessarily help research because that will mean having a research regime incompatible at least with its North American and EU counterparts that extend privacy protection to research and data subjects alike. That can mean, in part, being excluded from multi-country research projects. There's also the risk of databases just being arbitrarily labelled as part of “research” in order to avoid privacy regulations.

Inclusion of Research in Privacy Coverage as Part of the International Norm